Could the blockchain enforce PoPI?

Oct 24, 2017

The Protection of Personal Information (PoPI) Act is looming on our horizon. South African organisations are busily preparing for it despite there still being much debate about what the real impact will be and whether or not it will be truly effective.
However, one thing is certain, a legislation that protects personal information (that is, any information relating to an identifiable, living person) is necessary, and any technology which could support PoPI within the business should be seriously considered, writes Vishal Barapatre, chief technical officer at In2IT Technologies.
One technology that seems purposefully built for protecting information is the blockchain. Although one of the selling points of blockchain technology is its inherent transparency, it certainly has effective security measures. This begs the question, could the transparency of blockchain technology conflict with the regulations that PoPI lays out, or does it add another mechanism for compliancy?

The blockchain, and PoPI compliancy
With the implementation of PoPI, organisations will need to be more sensitive around the privacy of their customers’ information — or be penalised.
To do so, they will have to be more organised around the storage, use and dissemination of this data so as not to overstep the bounds of PoPI, and to take care of their customers’ privacy. There needs to be a level of ‘proof’ of where the data is kept, how it is used and who has access to it at any given time.
This requirement fits in with the purpose of the blockchain: to provide a verifiable record of any data transaction, including who accesses the said data.
The blockchain is a shared digital transactional ledger that securely records and regularly reconciles transactions of virtually anything of value. Therefore, Blockchain provides accurate traceability and in turn, promotes accountability.
Essentially, what the blockchain does for data storage is provide ratified certainty that all the due diligences have been conducted around a piece of data, and a means for recourse should data be unlawfully used or accessed.
There is also the security factor, which appeals to compliancy requirements of PoPI. The blockchain offers unparalleled security features, given its multi-verification nature and tamper proof mechanism of protecting already verified data. If current trends are anything to go by, the blockchain will only get more secure, which makes it ideal for use as a potentially impenetrable storage mechanism.

Any concerns?
The question around transparency still exists. Surely a platform that specifically highlights transparency as a benefit automatically precludes it from being suitable for an act which stresses the protection of a person’s privacy? Not necessarily …
A blockchain can be programmed with certain pre-defined rules, or permissible actions, around what may be done with any piece of personal information, based on the type of information it is. Although the information may be visible to anyone with access to the blockchain on which it sits, these parameters automatically create alerts when certain data is accessed, used, or disseminated in any way that falls outside their bounds.
Granted, there is still the risk that the data may be accessed by unauthorised individuals, but the organisation will be alerted and can take immediate action. The blockchain provides verifiable proof of who accessed the data illegally, for what reason, and what was done with the data. It can then be raised with the PoPI regulator, if required, or can take internal action, as desired (or as required by policy and/or law).
The only real grey area with using the blockchain for complying with data storage, is that there will exist a permanent, in-erasable record of the data, indefinitely. PoPI does define that an organisation must honour an individual’s request for their data to be removed once it is no longer in use.
The immutability of the blockchain could prove a problem, nevertheless an organisation still retains control of who may or may not access the data, and could exercise that control to ensure that the data remains all but invisible for its lifespan.